Atomic Indicators are pieces of data that are indicators of adversary activity on their own. Which of the following is an example of an Atomic Indicator?

Practice question for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) exam, with an explanation of the answer.

Multiple Choice

Explanation:
Atomic indicators are values that cannot be broken into smaller parts without losing their meaning in the context of an intrusion, and that you can search for directly, without deriving anything from raw data or correlating several observations. A fully qualified domain name (FQDN) is a concrete, observable artifact in network traffic: you can match it directly in DNS logs, proxy logs, firewall logs, or flow records. A query for, or a connection to, that domain points straight at infrastructure the adversary controls, with no further context needed. In practice you normalize case and the trailing root dot before matching, and match on label boundaries so that a subdomain of the indicator is caught while an unrelated name that merely contains the indicator as a substring is not.

In contrast, an IP address is a weaker standalone signal. The atomic/computed/behavioral taxonomy from the Intrusion Kill Chain paper (Hutchins, Cloppert and Amin) does list IP addresses as atomic indicators, but as an exam answer the IP loses to the domain because IPs are shared across many tenants and services, rotate behind CDNs, cloud load balancers and VPN exits, and therefore produce false positives and ambiguous attribution. A hash of a malicious file is a computed indicator rather than an atomic one: it is derived by running a hash function over a specific sample, so it fingerprints that one sample exactly, and any change to the file, even a single byte, yields a different hash and lets variants slip past. A static string in a covert C2 channel is only meaningful once you understand the protocol and payload pattern it appears in; it has to be expressed as a pattern over the channel's traffic, which makes it a computed or behavioral indicator rather than a portable standalone one.

The domain name therefore stands out as the most robust standalone indicator of the four: it is atomic, it survives the infrastructure changes that invalidate an IP or a hash, and it is detectable in the same form across DNS, proxy and firewall telemetry, making it the best example of an atomic indicator.
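The matching described above, as an added example in Python that is not part of the original question or of the FOR508 course material. It treats the FQDN and the IP as atomic indicators matched directly against DNS log lines, and the file hash as a computed indicator that must first be derived from a sample. The indicator values, the Zeek-style log lines and the sample bytes are all constructed for illustration (RFC 2606 reserved names and documentation IP ranges); the log layout is a simplified, tab-separated approximation, not Zeek's real dns.log schema.

```python
"""Atomic vs computed indicators matched against constructed DNS log lines.

Added example, not from FOR508 or Examzify. Every indicator, log line and
sample below is constructed; the names use the reserved .example TLD and the
addresses come from the TEST-NET and RFC 1918 ranges.
"""
import hashlib
import ipaddress
from typing import Dict, List

# Atomic indicators: the value itself is the indicator, nothing to derive.
ATOMIC_DOMAINS = {"c2.malicious.example"}
ATOMIC_IPS = {ipaddress.ip_address("203.0.113.47")}

# Computed indicator: produced by hashing one specific (constructed) sample.
COMPUTED_SHA256 = {hashlib.sha256(b"constructed malware sample v1").hexdigest()}

# Constructed, simplified Zeek-style DNS log: ts, client, query, qtype, answer
SAMPLE_DNS_LOG = """\
1700000000.123\t10.0.0.5\tupdate.vendor.example\tA\t198.51.100.10
1700000001.456\t10.0.0.7\tC2.Malicious.Example.\tA\t203.0.113.47
1700000002.789\t10.0.0.9\tfiles.c2.malicious.example\tTXT\t-
1700000003.012\t10.0.0.5\tnotc2.malicious.example.net\tA\t192.0.2.8
"""


def normalize_fqdn(name: str) -> str:
    """Lowercase and drop the trailing root dot so 'C2.Example.' == 'c2.example'."""
    return name.strip().lower().rstrip(".")


def domain_matches(query: str, indicator: str) -> bool:
    """True when query is the indicator or a subdomain of it.

    The check is label-boundary aware: a plain substring test would also flag
    'notc2.malicious.example.net', which is unrelated infrastructure.
    """
    q, ind = normalize_fqdn(query), normalize_fqdn(indicator)
    return q == ind or q.endswith("." + ind)


def ip_matches(value: str) -> bool:
    """True when the answer field is an IP in the atomic IP set."""
    try:
        return ipaddress.ip_address(value) in ATOMIC_IPS
    except ValueError:  # '-' (no answer) or a non-IP answer such as a CNAME
        return False


def scan_dns_log(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per log line that touches an atomic indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, query, _qtype, answer = line.split("\t")
        matched = [f"domain:{d}" for d in sorted(ATOMIC_DOMAINS) if domain_matches(query, d)]
        if ip_matches(answer):
            matched.append(f"ip:{answer}")
        if matched:
            hits.append({"ts": ts, "src": src, "query": normalize_fqdn(query),
                         "matched_on": matched})
    return hits


def hash_matches(sample: bytes) -> bool:
    """Computed indicator: the hash must be derived from the sample first."""
    return hashlib.sha256(sample).hexdigest() in COMPUTED_SHA256


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
    # The known sample matches; a one-character variant of it does not.
    print(hash_matches(b"constructed malware sample v1"))
    print(hash_matches(b"constructed malware sample v2"))
```

Running the block flags the second line (exact domain match plus the resolved C2 address) and the third (a subdomain of the indicator), ignores the fourth despite the shared substring, and shows the hash indicator matching only the exact sample it was computed from.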
